Mobile privacy debate reignites over hidden smartphone app

A controversy over smartphone privacy has reignited following a coder's recent post detailing how a hidden software application on Android-based HTC phones can collect a range of information about the user's activities.

The client program is from a venture-funded company called Carrier IQ out of Mountain View, Calif. It created software, dubbed by one security researcher a classic rootkit, to collect a variety of "operational" data about the phone's usage, ostensibly to let carriers identify radio, performance and usage problems and correct them.

But a number of programmers have been trying to delve into the details of how Carrier IQ actually works, and what information it accesses. The most detailed account was posted earlier this month by Trevor Eckhart, who lists his job as IT director and is part of the XDA-developers.com Website of Android and Windows Phone users and programmers. He blogged about what he discovered, surmised, and questioned in a two-part post at his own Website, AndroidSecurityTest.com.

Last March, another XDA member, called k0nane, apparently was the first to take note of the Carrier IQ application, on Sprint-based Samsung phones.

Complementing Eckhart's post was one by Geek.com's Brian Holly, who elaborated on some parts of Eckhart's post, added some context about Carrier IQ the company, and detailed the responses, or the lack thereof, from the software vendor, from HTC (Eckhart used his own HTC Evo for this demo), and from Sprint. Most of the comments were unsupported, general assurances that these companies could not analyze, or were not analyzing, detailed user information and activities.

Eckhart quotes from Carrier IQ's own materials, including the patent application, to define the intended scope of the software application. From the patent filing: "Carrier IQ is able to query any metric from a device. A metric can be a dropped call because of lack of service. The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user's pressing of keys on the device, usage history of the device, including those that characterize a user's interaction with a device."

To do this, Carrier IQ provides an embedded client on the mobile device and server-based analytics applications. According to the vendor's documentation, these analytics give administrators details about performance and usage characteristics.

The program, says Eckhart, is a "rootkit," the term for software that obtains privileged access to a system and conceals its own presence from the user. "Carrier IQ...listens on the phones for commands contained in 'tasking profiles' sent a number of ways and returns whatever 'metric' was asked for," he writes.

At the same time, at least on the HTC phone Eckhart used, the presence of Carrier IQ is hidden, or at least buried, beneath the surface of the user interface. One issue that pundits and privacy advocates have focused on is that most handset makers and carriers don't inform users that this information is being collected, or, if they do inform them, don't give them the ability to block the collection.

According to Eckhart, Verizon apparently is alone in describing this process in a privacy policy, and giving users an "opt-out" option.

Holly, at Geek.com, contacted Jason Gertzen of Sprint's corporate PR department for comment on how the carrier handles Carrier IQ data. "Gertzen assured me that Sprint was unable to look at the contents of messages, photos, or videos using the Carrier IQ tools. He also noted that the information that is collected is not sold, and that no one but Sprint has access to a direct feed of the data they collect. Gertzen was unwilling to comment as to why Sprint was unwilling to provide an opt-out for the service, stating only that Sprint relies on Carrier IQ to help maintain network performance."

Holly noted that Sprint's privacy policy acknowledges the carrier monitors systems and services and will "anonymize or aggregate personal information for various purposes like market analysis or traffic flow analysis and reporting". The policy also says Sprint will share the information with outside companies in order to deliver targeted advertising to users based on their interests.

Eckhart created a 17-minute YouTube video that demonstrates some of the capabilities of Carrier IQ. At about 8:41, he starts to show log entries from his HTC phone that clearly show references to one or more Carrier IQ components. His most incendiary suggestion is that Carrier IQ can and does see and record individual keystrokes.

But the video is actually unclear, at least to viewers without a deep programming or security background, about whether the Carrier IQ client sees the keystrokes at all and, if it does, whether it records them or merely logs that a key event occurred.

And that's just the point that someone identified as "security researcher" Dan Rosenberg made in a posting at Pastebin.com, being cited in a range of online reports including this one at NPR.com. Rosenberg says he has reverse engineered the application, and sees "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." He goes on: "There's a big difference between 'look, it does something when I press a key' and 'it's sending all my keystrokes to the carrier!'. Based on what I've seen, there is no code in Carrier IQ that actually records keystrokes for data collection purposes."

In a statement issued last week, in direct response to the controversy ignited by Eckhart's posts, the software vendor reiterated its insistence that nothing of the sort is happening: "While we look at many aspects of a device's performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools. The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties. The information derived from devices is encrypted and secured within our customer's network or in our audited and customer-approved facilities."
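The distinction Rosenberg draws, and the vendor's "counting and summarizing, not recording" claim, turn on one point: a hook that fires on every key press produces the same debug trace whether the agent keeps a count or keeps the keys. The following Python model is an added illustration of that point and is not Carrier IQ's code, nor a description of its actual tasking or metric formats. The `TaskingProfile`, the two agent classes, the log line text and the key events are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample key events as (timestamp_ms, key); the values are made up.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1000, "h"), (1120, "i"), (1300, " "), (1450, "m"),
    (1600, "o"), (1700, "m"), (2500, "\n"),
]
TYPED_TEXT = "".join(k for _, k in SAMPLE_EVENTS)


@dataclass
class TaskingProfile:
    """Hypothetical stand-in for a server-issued list of requested metric names."""
    metrics: Tuple[str, ...]


@dataclass
class SummarizingAgent:
    """Observes every key event but retains only a count and timing span."""
    debug_log: List[str] = field(default_factory=list)
    presses: int = 0
    first_ms: Optional[int] = None
    last_ms: Optional[int] = None

    def on_key(self, ts_ms: int, key: str) -> None:
        # The hook fires on every press, so a trace shows activity per keystroke
        # regardless of what the agent actually keeps.
        self.debug_log.append(f"{ts_ms} D/AgentUI: onKeyEvent")
        self.presses += 1
        self.first_ms = ts_ms if self.first_ms is None else self.first_ms
        self.last_ms = ts_ms

    def available_metrics(self) -> Dict[str, object]:
        span = 0 if self.first_ms is None else self.last_ms - self.first_ms
        return {"key_presses": self.presses, "typing_span_ms": span}


@dataclass
class RecordingAgent:
    """Same hook, but buffers the keys themselves: this is a keylogger."""
    debug_log: List[str] = field(default_factory=list)
    buffer: List[str] = field(default_factory=list)

    def on_key(self, ts_ms: int, key: str) -> None:
        self.debug_log.append(f"{ts_ms} D/AgentUI: onKeyEvent")
        self.buffer.append(key)

    def available_metrics(self) -> Dict[str, object]:
        return {"key_presses": len(self.buffer), "keystrokes": "".join(self.buffer)}


def respond(agent, tasking: TaskingProfile) -> Dict[str, object]:
    """Answer a tasking profile with only the requested metrics the agent holds."""
    have = agent.available_metrics()
    return {name: have[name] for name in tasking.metrics if name in have}


def run(agent, events=SAMPLE_EVENTS,
        tasking=TaskingProfile(("key_presses", "keystrokes"))):
    """Feed the events to an agent and return (report, debug_log)."""
    for ts_ms, key in events:
        agent.on_key(ts_ms, key)
    return respond(agent, tasking), agent.debug_log


def reveals_typed_text(report: Dict[str, object], typed: str) -> bool:
    """True if any value in the report contains the text the user typed."""
    return any(isinstance(v, str) and typed.strip() in v for v in report.values())


if __name__ == "__main__":
    for cls in (SummarizingAgent, RecordingAgent):
        report, log = run(cls())
        print(cls.__name__, "log entries:", len(log), "report:", report,
              "reveals typed text:", reveals_typed_text(report, TYPED_TEXT))
```

Both agents emit an identical seven-line trace, which is all a logcat capture like the one in the video can show. Only the report answers the real question: the summarizing agent cannot return `keystrokes` even when the tasking profile asks for it, while the recording agent hands back the typed text. Settling the matter therefore requires reading the client's code or its outbound data, which is what Rosenberg says he did, not watching the hook fire.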

Carrier IQ's other response was to serve Eckhart with a cease-and-desist letter, which went public when he turned to the Electronic Frontier Foundation (EFF) for help. Eckhart had downloaded and then mirrored publicly accessible training documents from the Carrier IQ Website, containing more details about how the vendor's software worked. According to the EFF post, "Carrier IQ immediately made the files unavailable, but it didn't stop there. Carrier IQ fired off a cease-and-desist letter to Eckhart, claiming that he infringed its copyrights and made unspecified 'false allegations' about its software. Among other things, the company demanded that Eckhart turn over contact information for every person who had obtained the files from him, and that he replace his analysis with a statement—written for him by Carrier IQ—disavowing his research."

On Nov. 23, about a week after Eckhart's postings, Carrier IQ issued a statement that it had withdrawn the cease-and-desist letter and had apologized to both Eckhart and the EFF.

Predictably, the presence of the software, and especially its alleged key-logging capability, has triggered outrage. "I mean, what kind of permissible purpose is out there that can allow a company to legally place a key logger on something and use it when you are not even getting service out of them?" fulminates egzthunder1, a poster at XDA-developers. "This is a clear infringement of consumer rights down to its core. Not being able to opt out is downright ridiculous and we would like to request that this is fixed in upcoming devices and software updates."

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.